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Abstract 

Quantum algorithms for factoring and discrete logarithm have pre- 
viously been generalized to finding hidden subgroups of finite Abelian 
groups. This paper explores the possibility of extending this general view- 
point to finding hidden subgroups of noncommutative groups. We present 
a quantum algorithm for the special case of dihedral groups which de- 
termines the hidden subgroup in a linear number of calls to the input 
function. We also explore the difficulties of developing an algorithm to 
process the data to explicitly calculate a generating set for the subgroup. 
A general framework for the noncommutative hidden subgroup problem 
is discussed and we indicate future research directions. 



1 Introduction 

All known quantum algorithms which run super-polynomially faster than the 
most efficient probabilistic classical algorithm solve special cases of what is 
called the Abelian Hidden Subgroup Problem. This general formulation in- 
cludes Shor's algorithms for factoring and finding discrete logarithms [jTq| , 
A very natural question to ask is if quantum computers can efficiently solve the 
Hidden Subgroup Problem in noncommutative groups. This question has been 
raised regularly HI, 11, 12, 13], and seems important for at least three reasons. 



The first reason is that determining if two graphs are isomorphic reduces 
to finding hidden subgroups of symmetric groups. The second reason is that 
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the noncommutative hidden subgroup problem arguably represents a most 
natural line of research in the area of quantum algorithmics. The third reason 
is that an efficient quantum algorithm for a hidden subgroup problem could 
potentially be used to show an exponential gap between quantum and classical 
two-party probabilistic communication complexity models M, 0|. 

The heart of the idea behind the quantum solution to the Abelian hidden 
subgroup problem is Fourier analysis on Abelian groups. The difficulties of 
Fourier analysis on noncommutative groups makes the noncommutative ver- 
sion of the problem very challenging. 

In this paper, we present the first known quantum algorithm for a noncom- 
mutative subgroup problem. We focus on dihedral groups because they are 
well-structured noncommutative groups, and because they contain an expo- 
nentially large number of different subgroups of small order, making classical 
guessing infeasible. Our main result is that there exists a quantum algorithm 
that solves the dihedral subgroup problem using only a linear number of eval- 
uations of the function which is given as input. This is the first time such a 
result has been obtained for a noncommutative group. However, we hasten to 
add that our algorithm does not run in polynomial time, even though it only 
uses few evaluations of the given function. The reason for this is as follows: 
The algorithm applies a certain quantum subroutine a linear number of times, 
each time producing some output data. The collection of all the output data 
determines the hidden subgroup with high probability. We know how to find 
the subgroup from the data in exponential time, but we do not know if this 
task can be done efficiently. 

Three important questions are left open. The first question is if there exists 
a polynomial-time algorithm (classical or quantum) to postprocess the output 
data from our quantum subroutine. The second is whether our algorithm can 
be used to show an exponential gap between quantum and classical probabilis- 
tic communication complexity models, as mentioned above. Currently, the 
state-of-the-art is an exponential separation between error-free models, and a 
quadratic separation between probabilistic models || . The third open question 
is for what other noncommutative groups similar results can be obtained. 

2 Algorithm for dihedral groups 

The Hidden Subgroup Problem is defined as follows: 

Given: A function 7 : G —* R, where G is a finite group and R an arbitrary 
finite range. 

Promise: There exists a subgroup H ^ G such that 7 is constant and distinct 
on the left cosets of H. 
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Problem: Find a generating set for H. 



We say of such a function 7 that it fulfills the subgroup promise with respect 
to H. We also say of 7 that it has hidden subgroup H. Note that we are not 
given the order of H. Without loss of generality we assume 7 is constant and 
distinct on left cosets because we may formally rename group elements and 
convert multiplication on the right to multiplication on the left. 

If G is Abelian, then we refer to this problem as the Abelian Subgroup 
Problem. Similarly, if the given group is dihedral, then we refer to it as the 
Dihedral Subgroup Problem. Classically, if 7 is given as a black box, then the 
Abelian subgroup problem is infeasible: If G = ZJ? , then just to determine if 
H is non-trivial or not takes time exponential in n [jT^| . Here, Z 2 denotes the 
cyclic group of order 2. In contrast, the Abelian subgroup problem can be 
solved efficiently on a quantum computer ||, |8[ 13, 16, 17]. 



Theorem 1 Let 7 : G — > R be a function that fulfills the Abelian subgroup 
promise with respect to H. There exists a quantum algorithm that outputs 
a subset X C G such that X is a generating set for H with probability 
at least 1 — 1/\G\, where \G\ denotes the order of G. The algorithm uses 
0(log |G|) evaluations of 7, and runs in time polynomial in log |G| and in the 
time required to compute 7. 

We review the quantum solution to the Abelian subgroup problem in terms 
of group representation theory in Section || below. For other reviews, see for 
example M, p|. 



The dihedral group of order 2N is the symmetry group of an A r -sided 
polygon. It is a semidirect product of the two cyclic groups Zjv and Z2 of 
order N and 2, respectively. It is isomorphic to the group 

D N = Z N x <j) Z 2 (1) 

with the multiplication defined by 

(a 1 ,b 1 )(a 2 ,b 2 ) = (di + 0(&i)(a 2 ), h + b 2 ), 

where the homomorphism <j) : Z 2 — > Aut(Zjv) is defined by 1 1 — >• (f)(1)(a) = —a. 

Theorem 2 (Main theorem) Let 7 : Dn —> R be a function that fulfills the 
dihedral subgroup promise with respect to H. There exists a quantum algorithm 
that given 7, uses (9(logiV) evaluations of 7 and outputs a subset X C Dn 
such that X is a generating set for H with probability at least 1 — . 
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Theorem || constitutes our main result that the dihedral subgroup problem 
can be solved with few applications of the given function 7. The essential step 
in the proof is that it is possible to find subgroups of order 2. The dihedral 
group Dn contains N + 1 different subgroups of order 2 if N is even, and N 
different subgroups of order 2 if N is odd. 

So, even if we are promised that the hidden subgroup is of that order, a 
straight-forward approach to find its generator would take time exponential 
in log(iV). Theorem || entails that we can find the generator with an expected 
number of evaluations of 7 only linear in logiV. 

Theorem 3 Let 7 : Dn — ► R be a function that fulfills the dihedral subgroup 
promise with respect to H , where H is either the trivial subgroup, or H = 
{(0,0), (ko, 1)} f or some < ko < N. There exists a quantum algorithm that 
given j, uses at most 89 log (iV) + 7 evaluations oj '7 and outputs either "trivial" 
or the value ko- If H is trivial then the output is always "trivial", and if H is 
non-trivial then the algorithm outputs ko with probability at least 1 — ^ . 

We first give the reduction of the general problem given in Theorem [2] to 
the special case in Theorem |3[ 

Proof of Theorem ^ Let 71 denote the restriction of 7 to the cyclic subgroup 
%N x {0} < D N of order N. Then 71 : Z N x {0} -> R fulfills the Abelian 
subgroup promise with respect to H\ = H n (Z^r X {0}). By Theorem [j], we 
can, by using O(logJV) evaluations of 71, find a subset X\ C H\ so that X\ 
generates H\ with probability at least 1 — 1/N . 

The subgroup (X\) ^ D]y is normal in Dn, and the factor group D^/{X\) 
is isomorphic to Dm where M = min{l < j < N | (j, 0) € (Xi)}. Since 
7 is constant on the cosets of (X±), we can consider 7 a function 72 on Dm- 
Then 72 : Dm — > R fulfills the dihedral subgroup promise with respect to some 
subgroup H 2 < Dm- 

Suppose (X\) = Hi- Then either H2 = {(0,0)} is the trivial subgroup, 
or H2 = {(0, 0), (ko, 1)} for some < ko < M. Further, if H2 is trivial then 
H = (X,), and if H 2 = {(0,0), (k , 1)} then H = (X l7 (k , 1)). 

We now apply the algorithm in Theorem || with 72 : Dm — ► R, producing 
either "trivial" or k . We repeat this t = [log(2JV)/log(2M)] times in total, 
ensuring we will find k with probability at least 1 - l/(2Mf > 1 - 1/2N, 
provided ko exists. If we obtain ko, then let X = X\ U {(ko, 1)}, and otherwise 
let X = Xt. 

If X\ generates H\, then with probability at least 1 — 1/2N we have 
H = (X). Since X\ generates Hi with probability at least 1 — 1/N, the 
overall success probability is at least (1 - l/iV)(l - 1/2N) > 1 - 2/N. The 
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total number of evaluations of 7 is at most 0(log N) + 1(89 log M + 7), as each 
evaluation of 71 and 72 requires one evaluation of 7. □ 



We assume that the reader is familiar with the basic notions of quantum 
computation || . The quantum algorithm we shall use to prove Theorem || is 

V 7 = (Fjy®W8l) o U 7 o (P^«W«I). (2) 

Here, U 7 is any unitary operator that satisfies that 

U 7 |a)|6>|0) = |a)|6)| 7 (a,6)> (3) 

for all < a < N and < b < 1. The operator F^v is the quantum Fourier 
transform for Zat defined by 

F ^> = 7^E^'>> ( 4 ) 

V 3=0 

where con = e 2w ^~^^ N is the Nth. principal root of unity. When N = 2, then 
the Fourier transform F2 is equal to the Walsh-Hadamard transform W which 
maps a qubit in state \b) to the superposition ^j(|0) + (— 1) 6 |1)). 

Suppose for a moment that we were not given a function defined on 
the dihedral group = Z^ ^2, but instead a function defined on 
the Abelian group Z^v X Z2. Or equivalently, suppose for the moment that 
4> : Z2 — > Aut(ZTv) is the trivial homomorphism. Then by Theorem we can 
find any hidden subgroup with probability exponentially close to 1 by applying 
the experiment 

(a,b)=M 1>2 oV 7 |0)|0)|0> (5) 

a number of 0(log N) times. Here, A4\ t 2 denotes a measurement of the first 
two registers with outcome (a,b). A natural question to ask is, how much 
information, if any, would we gain by performing the experiment given in 
Equation [| when 7 is defined on Djv and not on Zjy x Z2. The next lemma 
shows that we indeed learn something. 

Lemma 4 Let 7 : Dn — * R fulfill the subgroup promise with respect to H = 
{(0, 0), (ko, 1)}- Then, if we apply quantum algorithm V 7 on the initial state 
|0)|0)|0), the probability that the outcome of a measurement of the first two 
registers is (a,0), is 

2^(1 + cos^vrfcoa/AO) = ^ cos 2 (nk a/N). (6) 
Furthermore, the probability that the outcome is (a, 1), is jj sin 2 (7rkoa/N). 
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Let Z denote the discrete random variable denned by the probability mass 
function 

Prob[Z = z] = a cos 2 (nk z/N) (z£Z N ), 

where a = 1/N if ko = or 2ko = N, and a = 2/N otherwise. Lemma || 
provides us with a quantum algorithm for sampling from Z. Intuitively, since Z 
is non-uniformly distributed on 7Ln depending on ko, the more samples we draw 
from Z, the more knowledge we gather about ko- The crucial question therefore 
becomes, how many samples from Z do we need to be able to identify ko 
correctly with high probability. Theorem || below states that we only need a 
logarithmic number of samples. We postpone its proof till the next section. 

Theorem 5 Let m > |~641niVl, and let z\,...,z m be independent samples 
from Z. Let k € {1, . . . , [-/V/2J} be such that the sum Y^Li cos(2irkzi/N) is 
maximal. Then k = min{/co, N — ko} with probability at least 1 — Jkj. 

Proof of Theorem ^| The algorithm starts by disposing the possibility that 
ko = by computing 7(0,0) and 7(0,1). If the two values are equal, then 
the algorithm outputs the value and stops. If N is even, then the algorithm 
proceeds by disposing the possibility that ko = N/2, too. 

Now, the algorithm applies the quantum experiment given in Equation || 
a number of m' = 2 [64 In N\ times. Let m denote the number of times it 
measures a in the second register. Let {a\, . . . , a m } denote the outcomes in 
the first register, conditioned to that the measurement of the second register 
yields a zero.[] 

Suppose m > m'/2. The algorithm continues with classical post- 
processing: It finds 1 < k < [N/2\ such that the sum YliL 1 cos(2nkai/N) 
is maximized. It then computes "y(k,l) and compares it with the previous 
calculated value 7(0,0). If they are equal, it outputs k and stops. Otherwise, 
it performs the same test for 7(iV — k, 1). If that one also fails, it outputs 
"trivial" . 

If m < m'/2, then the algorithm performs the same classical post- 
processing, except that it uses the m! — m measurements for which the output 
in the second register is 1, and except that it now seeks to maximize the sum 

If H is trivial, then the algorithm returns "trivial" with certainty. 
If H = {(0, 0), (ko, 1)}, then it outputs ko with probability at least 1 — 1/2N 
by Theorem ||. The total number of evaluations of 7 is upper bounded 
by m! + 5 < 89 log N + 7. □ 

1 Alternatively, we could apply amplitude amplification [|| to ensure that we will always 
measure in the second register, instead of as here, only with probability 1/2. 
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3 Proof of Theorem |5] 



The proof of Theorem [| requires two lemmas, the first of them being a result 
by Hoeffding [1C] on the sum of bounded random variables. Hoeffding's lemma 
says that the probability that the sum of m independent samples are off from 
its expected value by a constant fraction in m drops exponentially in to. 



Lemma 6 (Hoeffding) Let Xi,...,X m be independent identically distri- 
buted random variables with t < Xi < u. Then, for all a > 0, 

Prob[S - E[S] > am] < g - 2 « 2 ™/M 2 



where S = YliLi ^-i- 

Let < k < N, and suppose we want to test if k = ko or k = N — ko, 
where ko is given as in Lemma Q Clearly, we can answer that question just by 
testing if 7(0, 0) = j(k, 1) or 7(0, 0) = j(N — k, 1). Lemma |7| provides us with 
another probabilistic method: First draw m samples {zi} r ^] =1 from Z, and then 
compute the sum Y17=i cos(2nkzi/N). Conclude that k ^ ko and k ^ N — ko 
if and only if that sum is at most to/4. 



Lemma 7 Let < k < N. Let z%, . . . , z m be to independent samples from Z. 
Then with probability at most e _m//32 ; we have 

m 

^2 cos(2vr kzi/N) < to/4 
i=l 

if k = ko or k = N — ko, and 

m 

y2cos(2nkzi/N) > to/4 

8=1 

otherwise. 



Proof Let / denote the function of Z defined by f(z) 
let X = /(Z) denote the random variable defined by /. 
and the expected value of X is 



= cos(27rkz/N), and 
Then -1 < X < 1 



E[X] 



if 2k = 2k = N 

if either k = ko or k = N 

otherwise. 
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If k 7^ ko and k ^ N — ko, then apply Hoeffding's lemma on m independent 
random variables all having the same probability distribution as X. If k = ko or 
k = N — ko, then apply Hoeffding's lemma on m independent random variables 
all having the same probability distribution as the random variable E[X] — X. 

□ 

If we are only concerned about testing for a specific < k < N if k = ko 
or k = N — ko, then Lemma [7| is not beneficial since we could just test if 
7(0,0) = j(k, 1) or 7(0,0) = 7(iV — k, 1). But since we want to test all 
possible values of k, and not only a single one, then the method yielded by 
Lemma becomes valuable, provided we can reuse the same m samples in all 
tests. We now prove Theorem |5| by showing that, given a set of m samples, 
then it is very likely that the sum 1 cos(2irkzi/N) is larger than m/4 if 
and only if k = ko or k = N — ko. 

Proof of Theorem ||] This is a simple consequence of Lemma 0. Let k' = 
minjfco, N — ko}. The probability that X^ii cos{2i:k l QZi / N) < m/4 is at most 
e -m/32 <- i_ Furthermore, for all integers < k < N/2 not equal to k' , the 
probability that Y^h=i cos(27rkzi/N) > m/4 is also at most jb- If fc 7^ k' , then 
one of these \_N/2\ events must have happened, and the probability for that 
is upper bounded by \J^\ < □ 



4 Abelian Hidden Subgroups 

Theorem |l| in Section || states that the Abelian subgroup problem can be 
solved efficiently on a quantum computer. The algorithm which accomplishes 
this is most easily understood using some basic representation theory for finite 
Abelian groups which we now briefly review. For more details see the excellent 
references [14, [Tq] . For any Abelian group G the group algebra C[G] is the 
Hilbert space of all complex-valued functions on G equipped with the standard 
inner product. A character of G is a homomorphism from G to C. The set 
of characters admits a natural group structure via pointwise multiplication 
and is a basis for the group algebra. The Fourier transform is the linear 
transformation from the point mass basis of the group algebra to the basis of 
characters. It is known that the quantum Fourier transform may be performed 
in time 0(log 2 |G|) . Finally, for any subgroup H ^ G, there exists a subgroup 
of the character group called the orthogonal subgroup H 1 - which consists of 
all characters x such that x{h) = 1 for all h G H. 

We now sketch the quantum algorithm for solving the Abelian hidden sub- 
group problem. In the interest of clarity we omit all normalization factors in 
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our description. The state of the computer is initialized in the superposition 

£|<7>|7(<?)>- 

We then observe the second register with outcome, say, r £ R. This action 
serves to place the first register into a superposition of all elements that map 
to r under 7. Because 7 is constant and distinct on cosets of H we may write 
the state of the computer as 

\s + h)\r) 

for some coset s + H chosen by the observation of the second register. Since 
we will not use the second register or its contents in the remainder of the 
algorithm, we express the state of the computer as a function of the contents 
of the first register only, ^2 h€H \s + h). We then apply the quantum Fourier 
transform which results in the state 

£ w i fc/ >, 

which may be verified by direct calculation. Finally, we observe the first reg- 
ister. Notice that this results in a uniformly random sample from H^~. 

It can easily be shown that by repeating this experiment of order log \ H- L \ 
times, we find a generating set for H 1 - . The hidden subgroup H ^ G can then 
be calculated efficiently from H 1 - on a classical computer, essentially by linear 
algebra. In summary, the sole purpose of the quantum machine in the above 
algorithm is to sample uniformly from H^~. 



5 A Generalized H 1 - 

We now briefly discuss the main ideas of harmonic analysis on groups, stating 
as facts the main results that we require. For more detailed information see 
the excellent references [14, Let G be a (possibly noncommutative) finite 
group. A representation of G is a homomorphism p : G — > GL(V p ) where V p 
is called the representation space of the representation. The dimension of V p , 
denoted d p , is called the dimension of the representation. The representation p 
is irreducible if the only invariant subspaces of V p are and V p itself. Two 
representations p\ and P2 are equivalent if there exists an invertible linear map 
S : V Pl — > V P2 such that pi(g) = 5 _1 p2(g) S for all g G G. 

Let T = {pi, p2, . . . , p r } be a complete set of inequivalent, irreducible rep- 
resentations of G. Then the identity Yll=id pi = \G\ holds. Furthermore, we 
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may assume that the representations are unitary, i.e., that p(g) is a unitary 
matrix for all g G G and all p G V. The functions defined by pij = p{g)ij for 
1 < i,j < dp are called matrix coefficients, and by the previous identity it 
follows that there are |G| matrix coefficients. It is a fundamental fact that 
the set of all normalized matrix coefficients obtained from any fixed T is an 
orthonormal basis of the group algebra C[G]. The Fourier transform (with 
respect to a chosen T) is a change of basis transformation of the group algebra 
from the basis of point masses to the basis of matrix coefficients. 

If G is commutative, then these definitions reduce to those discussed in 
the previous section, since in that case, all representations are 1-dimensional 
and each matrix coefficient is just a character. If G is noncommutative, then 
there exists at least 1 irreducible representation of G with higher dimension, 
and in this case the Fourier transform depends on the choice of bases for the 
irreducible representations. It seems as though this is what complicates the 
extension of the quantum algorithm for commutative groups to the noncom- 
mutative scenario. 

It turns out that for our present application it is most useful to use an 
equivalent notion of the Fourier transform. One may also think of the matrix 
coefficients as collected together in matrices. In this view the Fourier transform 
is a matrix- valued function on V. For each / G C[G], we define the value of 
the Fourier transform at an irreducible representation p G V to be 

V l G l geG 

If we take individual entries of these matrices, then we recover the coefficients 
in the basis of matrix coefficients. There is a Fourier inversion formula and 
therefore / is determined by the matrices {f(p)}p g p- 

We may now describe the noncommutative version of H ± . Let V p H be the 
elements of V p that are pointwise fixed by H, 

V p H = {v e V p | p(h)v = v, he H}. 
Let be the projection operator onto V p H . Then define 

The significance of this definition follows from the following elementary result. 

Theorem 8 Let Ih be the indicator function on the subgroup H ^ G. Then, 
for all p 6 r, we have that Ih{p) = Pp ■ 
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Corollary 9 Let sH be any coset of H ^ G. Then the previous theorem 
immediately yields I s h{p) = p(s)P p H ■ 

Let us briefly summarize the role of this result in the quantum algorithm. 
If we straight-forwardly apply the quantum algorithm described in the previ- 
ous section to the case where G is noncommutative, then we must determine 
the resulting probability amplitudes and the information gained by sampling 
according to these amplitudes. 

Recall that the state of the quantum system after the first observation is 
a superposition of states corresponding to the members of one coset. Thus 
the state may be described by the indicator function of a coset I s h- The final 
observation results in observing the name of a matrix coefficient \p,i,j). The 
probability of observing \p,i,j) is given by \c P: ij\ 2 where c Pj ij is the coefficient 
of pij in the expansion of I s h in the basis of matrix coefficients. The corollary 
above allows us, in theory, to compute these probability amplitudes. 

The algorithm described in the first part of this paper may be derived 
from these general methods. For a general noncommutative group it seems 
that these methods are necessary for an analysis of the resulting probability 
amplitudes. 
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